Tuesday, December 19, 2017

To writing the actual policy for SELinux application, you can get many of the permissions your application needs by running.
First test if is installed into your Fedora distro.
I used Fedora 27 with SELinux set Enforcing.
If your application is named my_app then use this command:

sepolgen --init /path/to/my_app

The result of this command will be this:

app.fc
my_app.sh
my_app.if
my_app_selinux.spec
my_app.te

If your application will be a rpm package, you can delete app.spec and app.sh.
The file with extension .te is a Type Enforcement file.

About this five files, the Linux help tells us:

Type Enforcing File NAME.te
This file can be used to define all the types rules for a particular domain.
Note: Policy generated by sepolicy generate will automatically add a permissive DOMAIN
to your te file. When you are satisfied that your policy works, you need to remove
the permissive line from the te file to run your domain in enforcing mode.
Interface File NAME.if
This file defines the interfaces for the types generated in the te file, which can
be used by other policy domains.
File Context NAME.fc
This file defines the default file context for the system, it takes the file types
created in the te file and associates file paths to the types. Tools like restorecon
and RPM will use these paths to put down labels.
RPM Spec File NAME_selinux.spec
This file is an RPM SPEC file that can be used to install the SELinux policy on to
machines and setup the labeling. The spec file also installs the interface file and
a man page describing the policy. You can use sepolicy manpage -d NAME to generate
the man page.
Shell File NAME.sh
This is a helper shell script to compile, install and fix the labeling on your test
system. It will also generate a man page based on the installed policy, and compile
and build an RPM suitable to be installed on other machines

- the unique type to describe this application is my_app_t.
- SELinux tells us we’ll be executing this file with my_app_exec_t.
- this program will run as a service: init_daemon_domain(my_app_t, my_app_exec_t).

The next row is about log permission errors ( but let the application continue to run).

permissive my_app_t;

The next rows show how the application use file permissions and if the application will use Unix steam.
Don't change it , you can get a google search to see more examples with this type of allow.

The domain_use_interactive_fds and term_use_all_terms support operations where SSH allocates a tty for the user( example the allow fifo_file supports the opposite).
The my_app want to read from /etc folder with files_read_etc_files.
The auth_use_nsswitch also can adds rules allowing access to NIS/YPBIND ports.
The miscfiles_read_localization is about localization code.

To better understand this tutorial, you can create a folder in your home directory and then test it with a different application from Fedora 27.
One good example: sepolgen --init /opt/firefox .

Sunday, December 17, 2017

The Go programming language was created at Google in 2009 by Robert Griesemer, Rob Pike, and Ken Thompson.
The Go often referred to as golang is a programming language created at Google.
Using go with Fedora 27 is very simple , just install it with dnf tool.

#sudo dnf install golang

To use it with atom editor you need to install the atom editor , see this tutorial.
The next step is to set the atom editor with the packages for go programming language, like:

Thursday, December 14, 2017

The atom editor is a very good free and open-source text and source code editor for macOS, Linux, and Microsoft Windows.
This editor come with support for plug-ins written in Node.js, and embedded Git Control, developed by GitHub and more features.
Today I will show you how to install this tool with teletype into Fedora 27 distro linux.
Go to the Atom homepage from your web browser and click to download the RPM version.
Use this command to install it:

$sudo su
#cd Download
# dnf install atom.x86_64.rpm

Let's see this install:
The next step is to use teletype from atom.

Just install the teletype package into atom editor into settings area.
The teletype tool introduces the concept of real-time "portals" for sharing workspaces.
This tool uses WebRTC to encrypt all communication between collaborators.
Use the teletype with one click on the radio tower icon in the Atom status bar.
This will open a dialog into the right of the screen and ask you for teletype token.
You can get this token from here.
After you put the token then use the check button to share your content and atom teletype will get a ID.
Just share this ID with your development team to share your work.

Tuesday, December 12, 2017

About the Cockpit the official website tell us:Cockpit makes Linux discoverable, allowing sysadmins to easily perform tasks such as starting containers, storage administration, network configuration, inspecting logs and so on.
If you use Fedora 27 the this tool can be used very easy.
If your Fedora Spin don't come with this tool then you can install it with this command:

#dnf -y install cockpit

First you need to follow this steps:
- starting Cockpit requires only a single command:

#systemctl start cockpit

- we’ll configure it to start on boot with:

#systemctl enable cockpit.socket

- you can check the status of Cockpit with:

#systemctl status cockpit

- the Cockpit tool runs on port 9090, so you’ll need to allow it through the firewall with this command:

#firewall-cmd --add-service=cockpit

- or simply add with the open port with:

#firewall-cmd --permanent --add-port=9090/tcp

- you now should reload the firewall for the rule to take effect:

#firewall-cmd --reload

Testing is the next step by log into Cockpit from your localhost (your server’s IP address) with your server’s root credentials.
Once you logged in you’ll see the Dashboard web page containing information about the server itself and graphs showing CPU and Memory Usage as well as Disk I/O and Network Traffic.
Let's see the Dashboard:

System come with infos about your system;

Logs displays the server’s system and service logs. That allows you to click on any entry for more detailed information, such as the process ID.

Storage gives you a graphical look at disk reads and writes, and also allows you to view relevant logs. Also, you can set up and manage RAID devices and volume groups, and format, partition, and mount/unmount drives.

Networking contains an overview of inbound and outbound traffic, logs and network interface information. You also can configure the network interface from this page.

Containers allows you to manage your Docker containers. You can search for new containers, add or remove containers, start and stop them, and set runtime variables on this page.

Accounts lets you to : add and manage users, set up and change passwords, and add and manage public SSH keys for each user.

Services lists all services, and clicking on any entry takes you to a detail page showing the service log and allowing you to start/stop, enable/disable, reload/isolate, or mask/unmask each service.

Terminal let you a fully functional terminal, with tab completion, allowing you to perform any task you could perform through its web interface.This come with the same privileges your login credentials would allow via SSH.

Friday, December 8, 2017

Today I made a summary of selinux.
This is a protection and security utility in linux operating systems.
It is quite complex and requires a little guidance in learning.
The basic thing is to secure a grid that matches the security gaps.
The tutorial today simply exemplifies how you can change these rules.
First, check with these commands for the status of selinux:

This will change the selinux target type to user_home_t .
That will allow firefox to run with this label (like that users) are allowed to read/write and manage.
This is the default label for all content in a users home directory.
This last command try to prevent confined applications from being able to read and write this content just from users home.

Thursday, December 7, 2017

I tested today a simple instalation of this package: dnf install swift.
This install come with all additional packets required for running .
This is an application ... First, I thought in the first phase that they implemented a programming language from Apple .
Take a look at this screenshot:

Saturday, December 2, 2017

Today I test how to install dotnet from Microsoft team development with Fedora 27.
The Microsoft team come with RedHat packages version - 7.3 and is an old type of packages.
They show us this old way how to deal with this issue , see this link.
I used this command lines into sudo user:

As you can see the dotnet working well with Fedora 27.
I would have preferred a classic dnf installation for reasons of later incompatibility.
This fact only indicates a tangential interest and a clear reason in microsoft capabilities to cover dotnet's area of interest versus linux distributions.